campus network design best practicesbps.moph.go.th/new_bps/sites/default/files/campus...5 aruba...

Campus Network Design Best Practiceswith ArubaOS-CX

Aruba Campus TME - June 2018

2

Leading Practices

Features & Function

Performance Optimization

LeadingPractices

Platform Evolution

Field Experience

3

AgendaFocus Points

1 Campus Architecture

Aruba VSX Technology Overview2

Loop Protection4

3 Routing Design & Impact

5 Network Management

6 Miscellaneous

4

Campus Architectures

5

Aruba Mobile-First Solution ComponentsWired and wireless

– Core switches : 8400 / 8320

– Aggregation switches : 8320 / 8400 or 3810 / 5400R

– Access switches : 2930F / 2930M / 3810 / 5400R

– Mobility Controllers : 7280 / 7240 / 7220 / 7210 (AppRF, WebCC, UCC, Firewall),Mobility Master

– Access Points : AP3xx, AP2xx

– Policy Mngt server : ClearPass

– NMS : Airwave (Central)

– 3rd party Firewall and IPS

6

Aruba Mobile-First DesignImpact on core/aggregation design

▪ Distributed access:

– Wired endpoint traffic bypasses the Mobility Controller

▪ Centralized access using Dynamic Segmentation (“Role Based / Port Based” Tunneling technologies)

– All wired & wireless traffic goes through Mobility Controllers

– Core and aggregation switches are seen as underlay nodes

▪ Mix:

– most user traffic going through the Mobility Controller, some exception bypassing the Mobility Controller(Management traffic, edge/local servers, legacy access switches during migration)

7

Two-Tier Campus Network Small campus - STP

Access1 Access2 (VSF)VSF

member1 member2

Mobility

Controller

Cluster

FWs

Core_Agg1Default Gateway

Core_Agg2Default GatewayMC1

MC2

MobilityMaster

L2 link

L3 link

8

ISL

VSX

Two-Tier Campus Network Small campus - VSX


member1 member2

Mobility

Controller

Cluster

FWs



MC2

VSX LAGVSX LAG

MobilityMaster

L2 link

L3 link

9

ISL

VSX



member1 member2

Mobility

Controller

Cluster

FWs



MC2

VSX LAGVSX LAG

MobilityMaster

L2 link

L3 link

VSX LAG

10

ISL

VSX



member1 member2

Mobility

Controller

Cluster

FW (Act)



MC2

MCLAGMCLAG

MobilityMaster

L2 link

L3 link

FW (Sta)

11

ISL

VSX

Two-Tier Campus Network Traditional L2/L3 Model

Aruba Switch Proposal

Access LayerL2

Mobility Controller

L2

Aggregation Layer

L2 + L3

L3 Firewall

8320

2930F/M

Multi VRFs


member1 member2

Mobility

Controller

Cluster

FWs

MC1

MC2

MobilityMaster



L2 link

L3 link

12

When to split these 2 layers ?

Three-Tier Campus Network When to have separated Core and Aggregation Layers ?

▪ Number of access switches > number of ports in core switch

▪ Limited number of fibers between access and core(IDF required)

▪ Optics distance limitation between access and core (MDF)

▪ Off-loading L2 processes from the core for large scale

▪ Fault domains isolation:

– Easier manageability

– Better stability

– Higher scalability:ARP, MAC, template


member1 member2

Core1 Core2

Agg1 Agg2

MCLAGMCLAG

L2 link

L3 link

CORE Layer

AGG Layer

agg / core

13

ISL

VSX

Three-Tier Campus Network – medium size


member1 member2

Mobility

Controller

Cluster

Core1 Core2

FWs

Agg1Default Gateway

Agg2Default Gateway

MC1

MC2

MobilityMaster

Agg3 Agg4

Traditional Topology Main Floor Second Floor

L2 link

L3 link

VSX

14

Three-Tier Campus Network L2/L3 or routed access (L3 only) ?

L2 access - L2/L3 aggregation

Pros Cons

Well-known design

model

L2 Loop avoidance

requirements

VSX Benefits(MCLAG to avoid

Spanning Tree)

LACP requirement(for VSX LAG)

Large choice of

access switches

L3 access - L3 aggregation

Pros Cons

No L2 protocols,

no Spanning Tree

GRE/VXLAN extra

configuration for VLAN

spanning

Good interoperability Increase IPAM complexity

(try using /31)

Well-known OSPF design

Convergence Time

Not commonly used

by operational teams

Reduced ARP table size Access Platform

restrictions: OSPF and

potentially VRF support

15

Campus Size

Small CampusMedium Campus

(multiple floors)

Large Campus

(multiple buildings)

L2/L3 Model

2-Tier architecture:

collapsed Core/Aggregation layers.

Distributed or Centralized.


Separate Core, Aggregation and

Access layers



Separate Core, Aggregation and

Access layers


Inter-Core routing

L3 only Model(routed access)

Not attractive.

Centralized.

(Distributed if single VRF.)

Centralized.

(Distributed if single VRF.)

Inter-Core routing

16

VSXVSXVSX

Three-Tier Campus Network Mobility Controller attachment

To Core

• Core must perform L2 and L3

To dedicated aggregation switches

• Recommended for large number of dual-stack (v4+v6) clients

• Off-load L2/L3 processing from Core

• Fault Domain isolation between wireless and core

Core1Wireless

Default GW

Core2Wireless

Default GW

Mobility

Controller

Cluster

MC1

Agg1 Agg2

Core1 Core2

MC1

Agg1 Agg2MC2 Agg3Wireless

Default GW

Agg4Wireless

Default GW

MC2

L2 link

L3 link

17

ISL

VSX


Three-Tier Campus Network Traditional L2+L3


member1 member2

Mobility

Controller

Cluster

Core1 Core2

FWs

MC1

MC2

Access LayerL2

Mobility Controller

L2Aggregation

LayerL2 + L3

Core LayerL3

L3 Firewall

8400

8320

8400

8320

2930F/M

Multi VRFs

Multi VRFs

MobilityMaster

Agg1Default Gateway

Agg2Default Gateway

L2 link

L3 link

18

ISL

VSX


Core LayerL2+L3

L2 Firewall

Access LayerL2

Mobility Controller

L2

Aggregation Layer

L2 only

Three-Tier Campus Network In few cases: L2+L3 with L2 FW/IPS


member1 member2

Mobility

Controller

Cluster

FW1 FW2

Agg1 Agg2MC1

MC2

Core1Default Gateway


8400

8320

8400

8320

2930F/M

3810

No VRF dependency

5400R

Multi VRFs

MobilityMaster

L3 FWs

No VRF dependency

L2 link

L3 link

19

ISL

VSX

ISL

VSX


Access LayerL2

Mobility Controller

L2

Aggregation Layer

L2 only

Three-Tier Campus Network In few cases: L2+L3 with L2 FW/IPS


member1 member2

Agg1 Agg2

8400

8320

8400

8320

2930F/M

3810

No VRF dependency

5400R

MobilityMaster

Agg3 Agg4

Core LayerL2+L3

L2 FirewallFW1 FW2



Multi VRFs

L3 FWs

GRE

No VRF dependency

L2 link

L3 link

20

ISL

VSX

L3 Firewall


Access LayerL2

Mobility Controller

L2

Aggregation Layer

L2 only

Three-Tier Campus Network 10% of cases: L2+L3 with L3 FW


member1 member2

Mobility

Controller

Cluster

Agg1 Agg2MC1

MC2

8400

8320

2930F/M

3810

5400R

No VRF dependency

Multi VRFs

MobilityMaster

FW1Default Gateway

FW2Default Gateway

L2 link

L3 link

21

ISL

VSX


Three-Tier Campus Network L3 Access Model for Centralized Access


member1 member2

Mobility

Controller

Cluster

Core1 Core2

FWs

Agg1 Agg2MC1

MC2

Access LayerL3

Mobility Controller

L2

Aggregation Layer

L3

Core LayerL3

L3 Firewall

8400

8320

8400

8320

2930F/M

Multi VRFs

Multi VRFs

MobilityMaster

No VRF dependencywith Dynamic Segmentation

L2 link

L3 link

22

VSX VSX VSXVSX

Three-Tier Campus NetworkLarge Campus with dark fibers

Building 1 - Main Floor

Building 1 – Second Floor

Core1Wireless

Default GW

Core2Wireless

Default GW

Mobility

Controller

Cluster

MC1

Agg1 Agg2MC2

Building 2 – Main Floor

Core3

Agg5 Agg6

Core4

Agg3 Agg4 Agg7 Agg8


23

VSX VSX VSXVSX

Three-Tier Campus NetworkLarge Campus with reduced number of fibers (square routing)



Core1Wireless

Default GW

Core2Wireless

Default GW

Mobility

Controller

Cluster

MC1

Agg1 Agg2MC2


Core3

Agg5 Agg6

Core4

Agg3 Agg4 Agg7 Agg8


24

VSX VSX VSXVSX

Three-Tier Campus NetworkLarge Campus with dark fibers and L2 extension



Core1Wireless

Default GW

Core2Wireless

Default GW

Mobility

Controller

Cluster

MC1

Agg1 Agg2MC2


Core3

Agg5 Agg6

Core4

Agg3 Agg4 Agg7 Agg8


MC3

MC4

25

VSX VSX VSXVSX

Large Campus NetworkNo inter-building L2 extension: use mobile-first design with Dynamic Segmentation



L2 link

L3 link

Core1Wireless

Default GW

Core2Wireless

Default GW

Mobility

Controller

Cluster

MC1

Agg1 Agg2MC2


Core3

Agg5 Agg6

Core4

Agg3 Agg4 Agg7 Agg8


Provider Managed

26

Distribution Switch SelectionSizing Considerations

• The current max scaling is 100,000 clients per Mobility Controllers Cluster.

• Larger deployments require multiple clusters each with their own distribution layer switches.

• Switch capacity drives the number of supported clients per Mobility Controller Clusters module.

Switch SeriesARP

Max. IPv4 Addresses

ND

Max. IPv6 Addresses

ARP/ND

Max. IPv4+IPv6 Addresses

(dual-stack)

1 IPv4

1 IPv6 Link-Local

1 IPv6 SLAAC or DHCPv6

Aruba 3810 Series 25 000 12 500 8 300 5 000

Aruba 5400R Series 25 000 12 500 8 300 5 000

Aruba 8320 Series 125 000 57 344 38 200 23 000

Aruba 8400 Series 131 072 65 536 65 536 32 768

27

Aruba Virtual Switching Extension (VSX)Overview

28

Aruba Virtual Switching ExtensionVSX Principles

▪ High Availability by design during upgrades

▪ Support for active-active data-path:• Active-active L2• Active-active L3 unicast• Active-active L3 multicast*

▪ Operational simplicity and usability:• for configuration• for troubleshooting

▪ Similar VSF benefits with better HA during upgrade

ISL

VSX

* This requires future ArubaOS-CX release

29

VSXvPC

MLAG

Switch Virtualization SolutionsComparison

Chassis 1 Chassis 2

Management

Control

Routing

Chassis 1 Chassis 2

Management

Control

Routing

Ethernet Links

Shared

Management

Control

Routing

Ethernet Links

Shared

SYNC?SYNC(*)

(*) different levels of synchronization

ISL

VSF

member1 member2VSFVSSIRF

Virtual Chassis

VSX

30

ISL

VSX

First hop VIP

VSX Benefits

Mobility

Controller

Cluster

L2 link

L3 link

Access

SW1

ArubaOS-CX

Agg-18320 / 8400

Access

SW2

ArubaOS-CX

Core-18320 / 8400

ArubaOS-CX

Core-28320 / 8400

• Dual control plane for better resiliency• Unified management (synchronized configuration and easy troubleshooting)• Independently software upgradable with near zero downtime• In-chassis redundancy (8400) & device level redundancy

Control Plane

• No spanning-tree• Loop-free L2 multi-pathing (active-active)• Rapid failover• Simple configuration

L2 Distributed LAGs (Agg to Acc)

• Distributed L3 over VSX pair (various options: ROP, SVIs or LAG’d SVIs)• Unified data path (active-active first hop gateway)• L3 ECMP + L2 VSX (highly fault tolerant)

L3 Distributed LAGs (Core to Agg)

• Active-Active first hop gateway (VIP)• No VRRP/HSRP• Simple configuration (1 command)• No gateway protocol overhead• DHCP relay redundancy

Active Gateway

VSX LAG 20VSX LAG 10VSX LAG 30

VSX LAG 101

ArubaOS-CX

Agg-28320 / 8400

VSX LAG 102

31

ISL

VSX

First hop VIP

VSX - Data Plane VirtualizationMulti-Chassis Link Aggregation (MCLAG)

VSX LAG 20

Mobility

Controller

Cluster

Access

SW1

ArubaOS-CX

Agg-18320 / 8400

ArubaOS-CX

Agg-28320 / 8400

Access

SW2

ArubaOS-CX

Core-18320 / 8400

ArubaOS-CX

Core-28320 / 8400

VSX LAG 10VSX LAG 30

VSX Pair

Distribution

LAG 20

Mobility

Controller

Cluster

Access

SW1Access

SW2

LAG 30

First hop VIP

LAG 101

LAG 10

VSX LAG 101 VSX LAG 102

ArubaOS-CX

Core-18320 / 8400

ArubaOS-CX

Core-28320 / 8400

LAG 102

L2 link

L3 link

32

ISL

VSX

First hop VIP

VSX LAGExtend link-aggregation to ports on different chassis

▪ MCLAG:

– ports distributed on two chassis (same speed)

– Inter-Switch Link (ISL)

• Used to exchange management and control information

• data traffic between the member chassis(no encapsulation)

• Can be a single port or a LAG

– is seen by the LAG peer as a single group with all the ports on the same switch peer ID

– layer 2 only

– LACP mode: ACTIVE (default)

▪ Active gateways:

– are virtual IP/MAC addresses pairs

– no need for VRRP (mutually exclusive)

– are defined at VLAN interface level for each VLAN transported across the MC-LAG

– are the same on both chassis


member1 member2

Agg1Active Gateway vIP

Active Gateway vMAC


Active Gateway vMAC

MC-LAG

LAG (lacp trunk)

33

VSX MCLAGL2 Configuration Example

Access1

ISL

Access2 (VSF)VSF

member1 member2

MC-LAG

LAG (lacp trunk)

LAG1

LAG11 LAG12

VLAN 10

1/1/1 1/1/2 1/1/1 1/1/2


Active Gateway vMAC


Active Gateway vMAC

1/3/1

1/8/1

1/3/1

1/8/1

trunk 25-26 trk1 lacp

25 26

interface lag 11 multi-chassis

description access-sw1

no shutdown

no routing

vlan trunk native 1

vlan trunk allowed 5,10,15,20

lacp mode active

interface lag 12 multi-chassis

description access-sw2

no shutdown

no routing

vlan trunk native 1

vlan trunk allowed 5,10,15,20

lacp mode active

interface 1/1/1

no shutdown

lag 11

interface 1/1/2

no shutdown

lag 12

34

VSX MCLAGL3 Active/Active Configuration Example

Access1

ISL

Access2 (VSF)VSF

member1 member2

MCLAG

LAG (lacp trunk)

LAG1

LAG11 LAG12

VLAN 10

1/1/1 1/1/2 1/1/1 1/1/2


Active Gateway vMAC


Active Gateway vMAC

1/3/1

1/8/1

1/3/1

1/8/1

25 26

vrf vrf1

interface vlan10

vrf attach vrf1

ip address 10.10.10.3/26

active-gateway ip 10.10.10.1 00:00:00:00:10:01

vrf vrf1

interface vlan10

vrf attach vrf1

ip address 10.10.10.2/26

active-gateway ip 10.10.10.1 00:00:00:00:10:01

35

Routing Design & Architecture ImpactUsing VSX

36

VSX LAG and upstream routingConstraints Diversity

▪ L2 or L3 links with upstream core nodes ?

▪ Static ? OSPF ? BGP ?

▪ Single VRF / Multiple VRF

▪ Sizing / limitations

▪ Best practice for HA

VSX


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Transit VLAN

Transit VLAN

LAG

MCLAG MCLAG?

?

?

?

L2 link

L3 link

▪ In all scenarios, the 2 VSX switches run independent control planes (OSPF/BGP) and present

themselves as different routers with their own Router_IDs in the network.

▪ In the data path however, they function as a single router and support active-active forwarding.

37

DefinitionSVI / ROP

▪SVI:

– A Switched Virtual Interface (SVI) is a logical Layer 3 interface configured per VLAN (one-to-one mapping) that perform all Layer 3 processing for packets to or from all switch ports associated with that VLAN.

▪ROP:

– A Routed Only Port is a physical port on a switch that process all Layer 3 functions for packets to or form the said port without any binding to VLAN processing.

38

L3 Link Aggregation

Features / Practices

– L3 LAG are supported

– Configuration developed/tested using L3.

– 128 LAG interfaces Max

– Can use up to 8 interfaces per LAG

– Optimal design uses LAGs between L3 blocks(see reference topology)

CLIConfigure the LAG interface

interface lag <LAG-ID>

description LAG to Core Switch 1

no shutdown

lacp mode active

ip address <IP-ADDR>/<Prefix-Len>

Associate member links with the LAG interface

interface <IFACE-ID>

description LAG to Core Switch 1

no shutdown

lag <LAG-ID>

39

VSX

Transit VLAN

Transit VLAN

VSX

Transit VLAN

Transit VLAN

VSX

Transit VLAN

Transit VLAN

Upstream Connectivity OptionsROP, SVIs, MCLAG SVIs

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

ROP(single VRF)

VSX LAG SVIsSVIs(multiple VRFs)

Optimize IPAM with usage of /31 for L3 point-to-point

L2 link

L3 link

p2p L3 links

L3 LAG

L2 links

L2 LAG with VSIs

VRF1Transit VLAN 101






VLAN 103

VLAN 203

VLAN 303

VLAN 104

VLAN 204

VLAN 304







L2 LAG with VSIs

40

VSXVSX

Three-Tier Campus Network – Topologies & Routing


member1 member2

Core1 Core2

Agg2Default Gateway

ECMP or LAG - multiple VRFs


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

ECMP MCLAG

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

LAG

MCLAG MCLAG




Agg1Default Gateway
















VRF3: 10.3.1.0/24

10.3.1.0/24 Agg1-IP VLAN301

10.3.1.0/24 Agg2-IP VLAN303

10.3.1.0/24 Agg1-IP VLAN301

10.3.1.0/24 Agg2-IP VLAN301

VRF3: 10.3.1.0/24

L2 link

L3 link

OSPF point-to-point OSPF broadcast

41

VSX

Transit VLAN

Transit VLAN

VSX

Transit VLAN

Transit VLAN

VSX

Transit VLAN

Transit VLAN

Upstream Connectivity OptionsROP, SVIs, MCLAG SVIs

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSF

member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

ROP(single VRF)

VSX LAG SVIsSVIs(multiple VRFs)

L2 link

L3 link

p2p L3 links

L3 LAG

L2 links

L2 LAG with VSIs







VLAN 103

VLAN 203

VLAN 303

VLAN 104

VLAN 204

VLAN 304







42

OSPF area 0

VSX

OSPF area 0

VSX

OSPF area 0

Upstream routing over point-to-point linksMultiple VRF - SVIs - OSPF

VSF

1/2/1

1/3/1

1/2/1

1/3/1

1/2/2 1/2/21/3/2 1/3/2

1/1/1

1/2/1

1/3/1

1/2/1

1/3/1

1/1/11/1/2 1/1/2

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.2/24

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.3/24

ISL (LAG1)

vlan 1192 vlan 1192

OSPF peering

over transit-vlan1192

vlan 1192 vlan 1192

OSPF peering


OSPF point-to-point

8400-3L0: 10.0.1.3/32

vlan1192 IP: 192.168.2.6/24

8400-4L0:10.0.1.4/32

vlan1192 IP: 192.168.2.7/24

8400-1L0: 10.0.1.1/32

vlan1192 IP: 192.168.2.2/24

8400-2L0:10.0.1.2/32

vlan1192 IP: 192.168.2.3/24

vrf1

vlan 2192 vlan 2192

OSPF peering


vlan 2192 vlan 2192

OSPF peering


OSPF point-to-point

vrf2

vlan 3192 vlan 3192

OSPF peering


vlan 3192 vlan 3192

OSPF peering


OSPF point-to-point

vrf3

vlan 101 vlan 103 vlan 104 vlan 102



OSPF VRF1

OSPF VRF2

OSPF VRF3

▪ OSPF point-to-point

VSX

43

VSX

Transit VLAN

Three-Tier Campus Network – Topologies & RoutingTriangles converge faster than square

ECMP + Triangles

• Fast - No convergence needed

Square

• Routing convergence


member1 member2

Core1 Core2

Agg1 Agg2


member1 member2

Core1 Core2

Agg1 Agg2

Routing updates

VSX

Transit VLAN

Transit VLAN

Transit VLAN

route already in FIB

new route has to be set in FIB

L2 link

L3 link

44

VSXVSX



member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

MC-LAGMC-LAG

ECMP or LAG - single VRF


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

ECMP MCLAG

8400-2# show ip ecmp

ECMP Configuration

---------------------

ECMP Status : Enabled

ECMP Load Balancing by

------------------------

Source IP : Enabled

Destination IP : Enabled

Source Port : Enabled

Destination Port : Enabled

8400-1(config-ospf-1)# maximum-paths

<1-8> Number of ECMP routes. Default is 4.

8400-1(config)# lacp hash

l2-src-dst Base the hash on l2-src-dst



Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

LAG

MCLAG MCLAG

L2 link

L3 link

45

VSXVSX



member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

More redundancy with recommended additional links - square


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Link failure protection would require area 0 on Agg layer

Port from Line Card A

Port from Line Card B

L2 link

L3 link

46

VSXVSX



member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

More redundancy with recommended additional links - triangles


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Link failure protection would require area 0 on Agg layer

Port from Line Card A

Port from Line Card B

L2 link

L3 link

47

VSX

Three-Tier Campus Network – Topologies & RoutingSet your redundancy limit


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Worth it ?

VSX

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSX

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

L2 link

L3 link

48

VSX

VSX

VSX


Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Core question : VSX - to be or not to be ?


member1 member2

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

VSX

Core1 Core2

Agg1Default Gateway

Agg2Default Gateway

Option for some cases

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

Transit VLAN

L2 link

L3 link

49

VSXVSX

ISL

VSX

Three-Tier Campus Network TopologiesVSX to help resiliency in Square Topology

Core nodes with VSX

• Fast – No convergence

Legacy Core nodes

• Routing convergence


member1 member2

Core1 Core2

Agg1 Agg2


member1 member2

Core1 Core2

Agg1 Agg2

Routing updates

Transit VLAN

Transit VLAN

route NH is unchanged

VSX Active-forwarding

new route has to be set in FIB

50

Upstream routing to IRF CoreWithout VSX Active-Forwarding

▪ OSPF broadcast

▪ Additional ISL sizing considerations:

– Statistically, 50% of data traffic will cross ISL and add one L3 node on the data-path

– ISL BW á uplinks BW OSPF area 0

OSPF peering


OSPF broadcast

Access

SW110.0.1.11/32

Access

SW2 (VSF)10.0.1.12/32

VSF

member1 member2

1/1/1 1/1/2

1/2/1

1/3/1

1/2/1

1/3/1

1/2/2 1/2/2

1/1/1 1/1/2

1/0/49 2/0/49

IRF

member1 member2

LAG 2

8400-1L0: 10.0.1.1/32

vlan192 IP: 192.168.2.2/24

vlan192_mac: 94:f1:28:1d:0f:00

8400-2L0:10.0.1.2/32

vlan192 IP: 192.168.2.3/24

vlan192_mac: 94:f1:28:1d:ad:00

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.2/24

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.3/24

LAG 10 LAG 20

Vlan 10

vlan 192 vlan 192

vlan 192

ISL (LAG1)

test-server10.99.0.11/32

Core 3L0: 10.0.1.3/32

vlan192: 192.168.2.5/24

br2_mac: 4431-9282-8b37

client IP: 10.10.10.11/24Client MAC1

SMAC 44:31:92:82:8b:37

DMAC 94:f1:28:1d:0f:00

SIP 10.99.0.11

DIP 10.10.10.11

VLAN 192

I/F BAGG2

SMAC 44:31:92:82:8b:37

DMAC 94:f1:28:1d:0f:00

SIP 10.99.0.11

DIP 10.10.10.11

VLAN 192

I/F lag1

SMAC 94:f1:28:1d:0f:00

DMAC Client_MAC1

SIP 10.99.0.11

DIP 10.10.10.11

VLAN 10

I/F lag10(mc)

51

OSPF area 0

OSPF peering


OSPF broadcast

Upstream routing to IRF CoreWith VSX Active-Forwarding

▪ No data traffic over ISL in nominal case.

▪ Each VSX node configures the VSX peer MAC as their own MAC (as a additional MAC)

▪ 8400-2 will process L3 function for the received packet as the DMAC is equal the its VSX peer MAC.

Access

SW110.0.1.11/32

Access

SW2 (VSF)10.0.1.12/32

VSF

member1 member2

1/1/1 1/1/2

1/2/1

1/3/1

1/2/1

1/3/1

1/2/2 1/2/2

1/1/1 1/1/2

1/0/49 2/0/49

IRF

member1 member2

LAG 2

8400-1L0: 10.0.1.1/32

vlan192 IP: 192.168.2.2/24

vlan192_mac: 94:f1:28:1d:0f:00

8400-2L0:10.0.1.2/32

vlan192 IP: 192.168.2.3/24

vlan192_mac: 94:f1:28:1d:ad:00

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.2/24

vlan10 AG: 10.10.10.1/24vlan10 IP: 10.10.10.3/24

LAG 10 LAG 20

Vlan 10

vlan 192 vlan 192

vlan 192

ISL (LAG1)

test-server10.99.0.11/32

Core 3L0: 10.0.1.3/32

vlan192: 192.168.2.5/24

br2_mac: 4431-9282-8b37

client IP: 10.10.10.11/24Client MAC1

SMAC 44:31:92:82:8b:37

DMAC 94:f1:28:1d:0f:00

SIP 10.99.0.11

DIP 10.10.10.11

VLAN 192

I/F BAGG2

interface vlan 192

vsx active-forwarding

SMAC 94:f1:28:1d:ad:00

DMAC Client_MAC1

SIP 10.99.0.11

DIP 10.10.10.11

VLAN 10

I/F lag10(mc)

52

VSX and Upstream RoutingSupported Scenarios

Single VRF Multiple VRFs

L3 port (ROP) L2 port (SVI) MCLAG (SVI) L3 port (ROP) L2 port (SVI) MCLAG (SVI)

staticYes

(simplest)yes yes not yet yes yes

OSPFYes


BGPYes


53

VRF32 VRFs

– Default VRF

– 31 network VRF

– “mgmt” VRF (Management-Plane only, not accessible from data-plane)

54

OSPFv2


– Define an OSPF Router-IDIdeally being equal to loopback address

– Define the associated VRF

– Use Passive-Default

– Enable OSPF on loopback interface

– Authenticate OSPF adjacencies

– Define OSPF Network Types

– Define OSPF Priority

– Minimize number of OSPF neighborsMax = 32

– Route-map support for controlled redistribution

CLIrouter ospf 10

router-id 10.10.10.10

passive-interface default

area 0.0.0.0

router ospf 11 vrf vrf1

router-id 11.11.11.11

passive-interface default

area 0.0.0.0

interface loopback 0

ip address <IP-ADDR>/<Prefix-Len>

ip ospf <PROCESS-ID> area <AREA-ID>

no ip ospf <PROCESS-ID> passive

ip ospf authentication message-digest

ip ospf message-digest-key md5 ciphertext <CIPHER>

interface 1/1/1

vrf attach vrf1

ip address 172.20.21.21/24

ip ospf 10 area 0.0.0.0

no ip ospf 10 passive

ip ospf network point-to-point

ip ospf message-digest-key md5 ciphertext <CIPHER>

55

L3-counters

8400-2# show interface 1/10/7

Interface 1/10/7 is up

Admin state is up

Description:

Hardware: Ethernet, MAC Address: 94:f1:28:1d:ad:00

IPv4 address 192.168.10.2/29

MTU 1500

Type SFP+SR

qos trust none

Speed 10000 Mb/s

L3 Counters: Rx Disabled, Tx Disabled

Auto-Negotiation is off

Input flow-control is off, output flow-control is off

Rx

287617 input packets 26387794 bytes

0 input error 0 dropped

0 CRC/FCS

L3:

0 packets, 0 bytes

Tx

287618 output packets 26387909 bytes


0 collision

L3:

0 packets, 0 bytes

8400-2(config)# int 1/10/7

8400-2(config-if)# l3-counters

rx Enable Rx L3 counters

tx Enable Tx L3 counters

<cr>



Admin state is up

Description:

Hardware: Ethernet, MAC Address: 94:f1:28:1d:ad:00

IPv4 address 192.168.10.2/29

MTU 1500

Type SFP+SR

qos trust none

Speed 10000 Mb/s

L3 Counters: Rx Enabled, Tx Enabled

Auto-Negotiation is off

Input flow-control is off, output flow-control is off

Rx

287643 input packets 26390184 bytes


0 CRC/FCS

L3:

0 packets, 0 bytes

Tx

287644 output packets 26390299 bytes


0 collision

L3:

0 packets, 0 bytes

8320 / 8400

56

Loop Protection

57

MCLAGAnd L2 loop avoidance mechanism

▪ VSX LAG is mutually exclusive with Spanning tree:

▪ Instead, use loop-protect functionality

▪ On MCLAG interface or on individual L2 ports

▪ Not on ISL

▪ Not on L3 port

▪ For configuration:

• loop-protect on the interface

• + per VLAN

• Limited to 4k port-VLAN pairs(i.e. 1 port configured for 4K VLANs, or 4 ports configurable over 1K VLANs etc.)

• loop-protect actions:– do-not-disable Do not disable the sending port when a loop is detected

– tx-disable Disable the sending port when a loop is detected

– tx-rx-disable Disable the sending and receiving port when a loop is detected

8320-1(config)# spanning-tree

Cannot enable spanning-tree, While MC-LAG

enabled.

8320-1(config-lag-if)# loop-protect

Loop-Protect should not be enabled on VSX inter-switch-link interface

8320-1(config-lag-if)# loop-protect

Interface is not L2. Disable routing on the interface.

58

Loop-protectNative VLAN 1

No loop detected on 1/1/4

8320-1# show loop-protect 1/1/4

Status and Counters - Loop Protection Information

Transmit Interval : 5 (sec)

Port Re-enable Timer : Disabled

Interface 1/1/4

Loop-protect enabled : Yes

Action on loop detection : TX disable

Loop detected count : 0

Loop detected : No

Interface status : down

Loop detected on 1/1/3

8320-1# show loop-protect 1/1/3




Interface 1/1/3




Loop detected : Yes

Detected on VLAN : 1

Detected at : 2018-03-09T14:25:41


1/1/3 1/1/4

60

Loop-protectPer VLAN

8320-1# show loop-protect




Interface 1/1/3


Loop-Protect enabled VLANs : 111



Loop detected : Yes


Detected at : 2018-03-09T14:49:37


Interface 1/1/4





Loop detected : No


Interface lag11




Loop detected : No

Interface status : up

1/1/3 1/1/4

interface 1/1/3

no shutdown

no routing

vlan trunk native 1 tag

vlan trunk allowed 111

loop-protect

loop-protect vlan 111

interface 1/1/4

no shutdown

no routing

vlan trunk native 1 tag

vlan trunk allowed 111-112

loop-protect

loop-protect vlan 111

61

Loop protection with access switchesLoop on access switches

2018-03-09:15:05:05.496305|hpe-MC-LAGd|7011|LOG_INFO|AMM|-|MC-LAG 11 state local up, remote down

2018-03-09:15:06:23.575126|hpe-lpd|2801|LOG_WARN|AMM|-|Port lag11 is disabled by Loop-protection after loop detection

2018-03-09:15:06:23.575332|hpe-lpd|2807|LOG_INFO|AMM|-|Loop-Protection stats cleared for port lag11


2018-03-09:15:06:23.594403|intfd|404|LOG_INFO|AMM|-|Link status for interface 1/1/1 is down

2018-03-09:15:06:23.599112|lacpd|1321|LOG_INFO|AMM|-|LAG 11 State change for interface 1/1/1: Actor state: ALFO,

Partner state ASFNCD

2018-03-09:15:06:23.762252|hpe-MC-LAGd|7014|LOG_INFO|AMM|-|MC-LAG 11 state local down, remote down



8320-1# show loop-protect




Interface lag11





Loop detected : Yes


Detected at : 2018-03-09T15:06:23


Interface lag12





Loop detected : No


8320-1# show interface brief

--------------------------------------------------------------------------------

--

Port Native Mode Type Enabled Status Reason

Speed

VLAN

(Mb/s)

--------------------------------------------------------------------------------

--

1/1/1 1 trunk SFP+SR yes down Disabled by feature --

lag11 1 trunk -- yes down -- auto

ISL

8320-1 8320-2

2930-3 2930-4

LP configured LP configured

LP NOT

configured

LP NOT

configured

1/1/1 1/1/2

62

Loop-Protect8320-2 does not see the loop

2018-03-09:15:06:23.764864|hpe-MC-LAGd|7014|LOG_INFO|AMM|-|MC-LAG 11 state local down, remote down

2018-03-09:15:06:55.737581|lldpd|106|LOG_INFO|AMM|-|LLDP neighbor e0:07:1b:c2:b5:e0 deleted on 1/1/1

8320-2# sh loop-protect

Status and Counters - Loop Protection

Information

Transmit Interval : 5

(sec)

Port Re-enable Timer :

Disabled

Interface lag11



Action on loop detection : TX

disable


Loop detected : No


Interface lag12



Action on loop detection : TX

disable


Loop detected : No

Interface status : up

ISL

8320-1 8320-2

2930-3 2930-4

LP configured LP configured

LP NOT

configured

LP NOT

configured

1/1/1 1/1/2

63

Loop-protectRestore

▪ By default, when a loop is detected, the interface is blocked until loop-protect is disabled.

▪ Use re-enable-timer

▪ After configured timer, the port will be re-enable.If loop is persistent, loop-protect will block again the interface.

8320-1(config)# loop-protect re-enable-timer

<15-604800> Enter the re-enable time interval for enabling blocked port (Default : Disabled)

64

Network Management

65

Switch ManagementIn-Band / Out-of-Band


▪ mgmt VRF

▪ interface mgmt

– 1 port on 8320, 2 ports on 8400 (with 2 MMs)

– Attached to mgmt VRF (can not be modified).

– prefer static IP address assignment

– default-gateway: out-of-band L3 network management infrastructure switch

– no ACL (yet)(ACL has to be set on management infrastructure)

▪ No ACL on ssh or https services

▪ Shell and mgmt VRF

CLIhostname CORE-8400-1

8400-1(config)# ip dns

domain-list Configure list of domains to which DNS request is

sent to complete unqualified host names

domain-name Configure default domain name

host Add an entry to the IP hostname table

server-address Configure DNS server IP address

ip dns domain-name aruba.hpe.com

ip dns domain-list aruba.hpe.com

ip dns host logbox 10.20.3.4 vrf mgmt

ip dns server-address 8.8.8.8


switch(config)#banner motd <delimiting character>

switch(config)#banner exec <delimiting character>

66

Secure Shell


▪ Must be enabled per VRF.

▪ Can be enabled simultaneously for multiple VRFs.

▪ Telnet service is not available.

▪ Currently, no source IP address protection on SSH service.

CLI

ssh server vrf mgmt

ssh sever vrf default

ssh sever vrf vrfA

67

Web-UI


▪ Web-UI is disabled by default

▪ https only (no http)

▪ Must be assigned to a VRF

▪ Can be assigned to ‘default’ or any other VRF

▪ Can be assigned simultaneously to multiple VRFs

▪ API is accessible in read-only or read-write

▪ No source IP address protection on https service

CLI

https-server vrf <VRF NAME>

https-server rest access-mode read-write

68

Basic’sHostname, domain-name, dns, banner


▪ Configure a hostname, domain name, and name server(s)

▪ If DNS is not available, local host entries can be made. Note that locally defined host entries are unique to each VRF

▪ Configure a Message of the day (MOTD) and an login (exec) banner

CLIhostname CORE-8400-1

8400-1(config)# ip dns

domain-list Configure list of domains to which DNS request is

sent to complete unqualified host names

domain-name Configure default domain name

host Add an entry to the IP hostname table

server-address Configure DNS server IP address

ip dns domain-name aruba.hpe.com

ip dns domain-list aruba.hpe.com

ip dns host logbox 10.20.3.4 vrf mgmt



switch(config)#banner motd <delimiting character>

switch(config)#banner exec <delimiting character>

69

SNMP


▪ Configure SNMP to send traps to no more than 2 NMS systems

▪ Use SNMPv3 if supported by NMS

▪ Note: CX does NOT support SNMP SET commands

▪ snmp-server can only be enabled in “mgmt” or “default” VRFs.If enabled on both VRFs, it will only work on default, as it takes precedence.

CLI8400-1(config)# snmp-server

agent-port Configure UDP port to reach SNMP Master Agent

community The name of the community string. Default is public

host Configure SNMP trap or inform

system-contact Configure system contact

system-description Configure system description

system-location Configure system location

vrf Specify VRF to run SNMP on

snmp-server agent-port 161

snmp-server vrf mgmt.

snmp-server system-description TME 8400-1

snmp-server system-location Roseville

snmp-server system-contact TME

snmp-server community ArubA

version 2c

snmp-server host 10.0.1.5 trap version v2c community public

version 3

snmpv3 user myuser auth md5 auth-pass myauthpass priv aes priv-pass myprivpass

snmp-server host 10.0.1.5 trap version v3 user NETMGMT

70

Logging


▪ Define no more than two logging destinations

▪ Syslog traffic is supported on a single VRF (any).By default the default VRF.

▪ Note: Default logging facility is 3.

CLIlogging 10.2.3.4 vrf vrf1logging 10.4.3.5logging log-server_name

8400-1(config)# logging facilitylocal0 Local 0local1 Local 1local2 Local 2local3 Local 3local4 Local 4local5 Local 5local6 Local 6local7 Local 7

8400-1(config)# logging 10.2.6.4include-auditable-events Forward auditable logs to the remote syslog

serverseverity Forward syslog messages of specified

severity andabove (Default:info)

tcp Forward syslog messages using TCP protocoludp Forward syslog messages using UDP protocol

(Default)vrf VRF used to connect to remote syslog

server(Default:default)<cr>

show events

71

Network Time Protocol (NTP)


▪ associate NTP with appropriate VRF(for first release: default or mgmt vrf)

▪ Define up to two NTP servers

– Use prefer command for “most preferred server”

▪ Use ‘iburst’ option to speed-up NTP sync process

▪ Set the timezone appropriately

▪ To reduce time to synchronize with NTP server, set the date and time before entering the NTP server command

CLIntp vrf mgmt.ntp server 1.1.1.1 iburst preferntp server 2.2.2.2 iburstclock timezone <timezone>

8400-1# sh ntp statusNTP is enabledNTP authentication is disabledNTP is using the management port (oobm) for NTP server connectionsWed Feb 28 16:06:37 CET 2018NTP uptime: 8 days, 5 hours, 48 minutes, 31 secondsSynchronized to NTP Server 15.136.40.60 at stratum 3Poll interval = 1024 secondsTime accuracy is within 2.930 secondsReference time: Wed Feb 28 2018 15:47:06.725 as per Europe/Paris timezone

8400-1# sh ntp associations----------------------------------------------------------------------ID NAME REMOTE REF-ID ST LAST POLL REACH----------------------------------------------------------------------* 1 15.136.40.60 15.136.40.60 16.110.135.123 3 594 1024 377----------------------------------------------------------------------

8400-1# sh ntp statisticsRx-pkts 1400211

Current Version Rx-pkts 0Old Version Rx-pkts 750

Error pkts 0Auth-failed pkts 0

Declined pkts 0Restricted pkts 0

Rate-limited pkts 0KOD pkts 0

8400-1# sh ntp servers------------------------------------------------

NTP SERVER KEYID MINPOLL MAXPOLL OPTION VER------------------------------------------------

15.136.40.60 - 6 10 none 3------------------------------------------------

72

sFlow


▪ Set sflow agent-ip to loopback address of the switch

▪ Supports up to 3 collectors, generally see no more than 2

▪ Use default sampling and polling timers unless you have a specific reason to change them

▪ Collect info from ‘meaningful’ interfaces:

– On Core: links to Service Aggregation blocks

– On Agg: links to Access blocks and Controllers

▪ Don’t enable sFlow on all interfaces

▪ Can be enabled on a lag interface

CLISflowsflow agent-ip <IP-ADDR>sflow collector <IP-ADDR>sflow sampling 4096sflow polling 30interface <IFACE-ID>sflow

swag-a1# show sflow

sFlow Global Configuration-----------------------------------------sFlow enabledCollector IP/Port/Vrf 10.80.2.200/6343/defaultAgent Address 10.224.68.10Sampling Rate 4096Polling Interval 30Header Size 128Max Datagram Size 1400

sFlow Status-----------------------------------------Running – No

Collector Status----------------10.80.2.200/6343/default - Not reachable

sFlow Statistics-----------------------------------------Number of Samples 0

8400-1# sh sflow int 1/3/8

sFlow Configuration - Interface 1/3/8-----------------------------------------sFlow enabledSampling Rate 4096Number of Samples 0sFlow Sampling Status success

73

Logrotate and Log files


– 3 log files:

– Event logs stored in the /var/log/event.log file.

– Authentication logs stored in the /var/log/auth.log file.

– Audit logs stored in the /var/log/audit/audit.log file

– Define logrotation size/frequency

– Keep default: 100MB, daily

– Export to tftp://<server_ip>

CLIlogrotate target tftp://15.136.40.99

74

Miscellaneous

75

Role-Based Authentication


▪ Use TACACS for authentication and authorization

▪ Define local accounts as backup

▪ DO NOT use the ‘aaa authentication allow-fail-through’

CLIConfigure TACACS

switch(config)# tacacs-server key SECRETKEY

switch(config)# tacacs-server host 10.0.0.101

Configure AAA authentication to TACACS with local fallback

switch(config)# aaa authentication login default group tacacs local

Configure AAA authorization *

switch(config)# aaa authorization commands default group tacacs

Configure Local User Account

switch(config)# user backup-admin group administrators password

Adding user backup-admin

Enter password:************

Confirm password:************

Show Commands To Validate Functionality

switch# show tacacs-server detail

switch# show aaa authentication

switch# show aaa authorization

(*) RADIUS server groups are not allowed to be configured as a AAA authorization method because RADIUS command authorization is unsupported.

76

Control Plane PolicyCoPP


▪ Factory-default copp-policy

CLI8320-1# sh copp-policy factory-default

class drop priority rate pps burst pkts hardware rate pps

--------------------- ---- -------- -------- ---------- -----------------

acl-logging 0 50 50 50

arp-broadcast 3 7000 7000 7000

arp-unicast 4 2500 2500 2500

bgp-ipv4 6 1500 1500 1500

bgp-ipv6 6 1500 1500 1500

dhcp-ipv4 1 1000 1000 1000

dhcp-ipv6 1 1000 1000 1000

hypertext 5 150 150 150

icmp-broadcast-ipv4 3 2000 2000 2000

icmp-multicast-ipv6 3 2000 2000 2000

icmp-unicast-ipv4 4 1000 1000 1000

icmp-unicast-ipv6 4 1000 1000 1000

igmp 6 2500 2500 2500

ip-exceptions 0 150 150 150

ipv4-options 2 150 150 150

ipv6-options 2 150 150 150

lacp 6 1000 1000 1000

lldp 6 500 500 500

loop-protect 7 1000 1000 1000

mvrp 6 1000 1000 1000

ntp 5 150 150 150

ospf-multicast-ipv4 6 2500 2500 2500

ospf-multicast-ipv6 6 2500 2500 2500

ospf-unicast-ipv4 6 2500 2500 2500

ospf-unicast-ipv6 6 2500 2500 2500

pim 6 1500 1500 1500

sflow 1 2000 2000 2000

ssh 5 500 500 500

stp 7 2500 2500 2500

telnet 5 500 500 500

udld 7 500 500 500

unknown-multicast 2 1500 1500 1500

unresolved-ip-unicast 2 1000 1000 1000

vrrp-ipv4 6 1000 1000 1000

vrrp-ipv6 6 1000 1000 1000

default 1 500 500 500

77

DHCP relayActive-Gateway

▪ 2 DHCP requests are relayed to 3rd party DHCP server.

▪ Due to 2 active-gateways.

▪ DHCP server will only serve the first received request.

78

Unidirectional Link Detection


▪ Utility of UDLD in the Campus:

– Patching mistakes: A-port1-TX -to- B-port2-Rx (instead of B-port1-Rx)

– 1G (fiber cut transition detection without UDLD, only after establishment)

– 10G standard

▪ Use UDLD mode aruba-os when connecting HPE Aruba switches

– Enable UDLD with ‘verify-then-forward’ mode

▪ RFC5171 mode to support interop with other network vendors

– Enable aggressive mode

CLIEnable UDLD

interface 1/1/1

udld

udld mode aruba-os verify-then-forward

Show Commands to Validate Functionality

show udld

show udld interface 1/1/1

swag-a1# show udld interface 1/1/18

Interface 1/1/18

Config: enabled

State: active

Substate: unblocked

Link: unblock

Version: aruba os

Mode: verify then forward

Interval: 7000 milliseconds

Retries: 4

Tx: 115642 packets

Rx: 162087 packets, 0 discarded packets, 0 dropped packets

Port transitions: 1

79

Unidirectional Link Detection1G - Fiber cut without UDLD

5510<5510HI-1-test>display transceiver interface g1/0/15

GigabitEthernet1/0/15 transceiver information:

Transceiver Type : 1000_BASE_SX_SFP

Connector Type : LC

Wavelength(nm) : 850

Transfer Distance(m) : 550(OM2),270(OM1)

Digital Diagnostic Monitoring : YES

Vendor Name : HPE

<5510HI-1-test>display transceiver diagnosis interface g1/0/15

GigabitEthernet1/0/15 transceiver diagnostic information:

Current diagnostic parameters:

Temp.(¡ãC) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)

32 3.33 8.56 -40.00 -5.52

Alarm thresholds:

Temp.(¡ãC) Voltage(V) Bias(mA) RX power(dBm) TX

power(dBm)

High 81 3.80 44.00 0.00 3.00

Low 0 2.81 1.00 -16.99 -12.50

<5510HI-1-test>display interface g1/0/15

GigabitEthernet1/0/15

Current state: DOWN

Line protocol state: DOWN

Description: GigabitEthernet1/0/15 Interface

Bandwidth: 1000000 kbps

Maximum transmission unit: 1500

83208320-1# show interface 1/1/7 transceiver detail

Transceiver in 1/1/7

Interface Name : 1/1/7

Type : 1000SX

Connector Type : LC

Wavelength : 20995nm

Transfer Distance : 0.00m (SMF), 150m (OM1), 300m (OM2), 0m (OM3)

Diagnostic Support : DOM

Product Number : J4858C

Serial Number : CN817EK0XD

Part Number : 1990-3662

Status

Temperature : 21.47C

Voltage : 3.35V

Tx Bias : 4.08mA

Rx Power : 0.23mW, -6.38dBm

Tx Power : 0.29mW, -5.38dBm

Recent Alarms:

Recent Errors:

8320-1# sh int 1/1/7


Admin state is up

Description: to 5510 G1/0/15 - for UDLD test

Hardware: Ethernet, MAC Address: 98:f2:b3:68:64:d2

MTU 1500

Type 1000SX

qos trust none

Speed 1000 Mb/s

HPE 55010 Aruba 8320-1

G1/0/15 1/1/7

Tx

Tx

Rx

Rx

80

Unidirectional Link Detection1G - Fiber cut with UDLD

5510<5510HI-1-test>display transceiver interface g1/0/15

GigabitEthernet1/0/15 transceiver information:

Transceiver Type : 1000_BASE_SX_SFP

Connector Type : LC

Wavelength(nm) : 850

Transfer Distance(m) : 550(OM2),270(OM1)

Digital Diagnostic Monitoring : YES

Vendor Name : HPE

<5510HI-1-test>display transceiver diagnosis interface g1/0/15

GigabitEthernet1/0/15 transceiver diagnostic information:

Current diagnostic parameters:

Temp.(¡ãC) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)

32 3.33 8.56 -40.00 -5.52

Alarm thresholds:

Temp.(¡ãC) Voltage(V) Bias(mA) RX power(dBm) TX

power(dBm)

High 81 3.80 44.00 0.00 3.00

Low 0 2.81 1.00 -16.99 -12.50

<5510HI-1-test>display interface g1/0/15

GigabitEthernet1/0/15

Current state: DOWN

Line protocol state: DOWN

Description: GigabitEthernet1/0/15 Interface

Bandwidth: 1000000 kbps

Maximum transmission unit: 1500

83208320-1# show udld interface 1/1/7

Interface 1/1/7

Config: enabled

State: active

Substate: blocked

Link: block

Version: aruba os

Mode: verify then forward

Interval: 7000 milliseconds

Retries: 4

Tx: 92 packets

Rx: 0 packets, 0 discarded packets, 0 dropped packets

Port transitions: 0


Interface 1/1/7 is down

Admin state is up

Description: to 5510 G1/0/15 - for UDLD test

Hardware: Ethernet, MAC Address: 98:f2:b3:68:64:d2

MTU 1500

Type 1000SX

qos trust none

Speed 1000 Mb/s

HPE 55010 Aruba 8320-1

G1/0/15 1/1/7

Tx

Tx

Rx

Rx

81

Unidirectional Link Detection10G - Fiber cut without UDLD

8320-18320-1# show interface 1/1/9 transceiver detailTransceiver in 1/1/9Interface Name : 1/1/9Type : SFP+SRConnector Type : LCWavelength : 20995nmTransfer Distance : 0.00m (SMF), 30m (OM1), 80m (OM2), 300m (OM3)Diagnostic Support : DOMProduct Number : J9150ASerial Number : MY77FFD38PPart Number : 1990-4175

StatusTemperature : 20.90CVoltage : 3.38VTx Bias : 8.44mARx Power : 0.00mW, -infTx Power : 0.56mW, -2.52dBm

Recent Alarms:Rx Power low alarmRx Power low warning

Recent Errors:


Interface 1/1/9 is downAdmin state is upState information: Waiting for linkDescription:Hardware: Ethernet, MAC Address: 98:f2:b3:68:64:d2MTU 1500Type SFP+SRqos trust noneSpeed 10000 Mb/s

8320-28320-2# show interface 1/1/9 transceiver detailTransceiver in 1/1/9Interface Name : 1/1/9Type : SFP+SRConnector Type : LCWavelength : 20995nmTransfer Distance : 0.00m (SMF), 30m (OM1), 80m (OM2), 300m (OM3)Diagnostic Support : DOMProduct Number : J9150ASerial Number : MY77FFD0XNPart Number : 1990-4175

StatusTemperature : 26.08CVoltage : 3.34VTx Bias : 8.48mARx Power : 0.56mW, -2.52dBmTx Power : 0.65mW, -1.87dBm

Recent Alarms:

Recent Errors:


Interface 1/1/9 is downAdmin state is upState information: Waiting for linkDescription:Hardware: Ethernet, MAC Address: 98:f2:b3:68:44:38MTU 1500Type SFP+SRqos trust noneSpeed 10000 Mb/s

Aruba 8320-1 Aruba 8320-2

1/1/9 1/1/9

Tx

Tx

Rx

Rx

82

IPv4 Multicast Features


▪ PIM

– Support for sparse mode

– Support for BSR or static RP configurations

– Is “VRF” aware

– Use a LAG for RP interface

▪ IGMP

– Interop with V1, V2, and V3

– Support for static-joins

CLIEnable PIM Globally (for default VRF)

router pim <vrf> <VRF name>enablerp-candidate source-ip-interface lag1 rp-candidate group-prefix 239.0.0.0/8 bsr-candidate source-ip-interface lag1 bsr-candidate priority 10

Configure PIM per interface

interface vlan141ip pim-sparce enable

Configure IGMP

interface vlan141ip igmp enableip igmp version 2

Commands for Verification

show ip igmpshow ip mrouteshow ip pimshow ip pim bsrshow ip pim interfaceshow ip pim nei

83

Other


– DHCP snooping / trust port

CLIdhcp-snoopingdhcp-snooping authorized-server 192.168.250.1dhcp-snooping authorized-server 192.168.250.2dhcp-snooping vlan 247-251

interface 1/7dhcp-snooping trustname "connection to ESXi"interface Trk10dhcp-snooping trustname "mclag-to-8320"

Thank You

campus network design best practicesbps.moph.go.th/new_bps/sites/default/files/campus...5 aruba...

Documents